Debian Linux Suffers From 'Major Security Flaw,' Gartner Warns

A popular distribution of the Linux open source operating system is vulnerable to hacks that could leave users' personal data exposed to identity thieves, according to IT consulting group Gartner.

The problem: Debian GNU/Linux's implementation of the Secure Sockets Layer communications protocol "made it easy for attackers to discover encryption keys," Gartner said in its report.

Encryption keys are bits of information that allow computers to interpret coded information.

Debian uses the open source OpenSSL version of Secure Sockets Layer. Gartner said the security glitch can be traced to the fact that Debian developers implemented changes to OpenSSL to fix a memory leak without first consulting the OpenSSL development community.

"The Debian 'fix' resulted in a serious weakness in the OpenSSL random number generator," the researchers said. The vulnerability "highlights one of the risks of using software products that incorporate open-source modules," Gartner said in the report, which was issued last week.

Gartner said the Debian organization was unresponsive to its attempts to contact it about the issue. "We believe this experience confirms our view that open-source process communications require significant improvements," Gartner said.

Debian has issued a patch to fix the problem. Gartner is advising businesses that use Debian GNU/Linux to implement the patch and regenerate all cryptographic keys generated by Debian OpenSSL versions beginning with 0.9.8c-1.

In general, businesses that use open source software need to adopt vulnerability management processes that include an application inventory to identify "open-source software dependencies" and ensure all current patches have been implemented, Gartner said.

The Debian project was launched in 1993 by Purdue University student Ian Murdock.